June 2024

The Importance for Businesses to Establish a Security and Maintenance Plan for Personal Data: From the Perspective of Judicial Practice (Taiwan)

In recent years, there have been cases of hackers intruding into business systems to steal consumers’ personal data and using the information to commit fraud. Since the perpetrators of such fraud are difficult to identify and to recover compensation from, consumers often seek compensation from the businesses that leaked their data instead. Under the Personal Data Protection Act (hereinafter, the “PDPA”), businesses are responsible for safeguarding the personal data they possess on the basis of a “presumption of negligence.” This means that a business may only be exempted from liability if it can prove that it was not negligent with respect to the data breach. Therefore, in practice, when a personal data breach occurs, it is crucial for a business to be able to show evidence that it had implemented the security measures required by the PDPA, and thereby to prove that it was not negligent in the incident’s occurrence.

1. What is the “Security and Maintenance Plan for Personal Data” as regulated by the PDPA?

In accordance with the current PDPA, any company or individual retaining personal data (hereinafter referred to as “businesses”) must implement appropriate security measures to prevent the theft, alteration, damage, destruction, loss, or unauthorized disclosure of the personal data they possess. Moreover, businesses operating in specific industries designated by the competent authorities are required to establish a security and maintenance plan for safeguarding personal data and guidelines for the disposal of personal data upon business termination (hereinafter referred to as the “Security and Maintenance Plan”) in line with the applicable regulations (see Article 27 of the PDPA). Various industries have already been designated by their respective competent authorities to establish the Security and Maintenance Plan, including finance, manufacturing, technical services, tourism, transportation, retail sales in non-specialized stores, and the digital economy-related sectors announced last year. Once a business in one of these industries meets specific criteria (such as reaching a certain amount of capital or holding a certain volume of consumer personal data), it is required to create a Security and Maintenance Plan in compliance with the regulations set forth by the competent authority. The Security and Maintenance Plan must cover the aspects outlined in the Regulations for Security and Maintenance of Personal Data issued by the competent authority, and businesses may use the templates provided by the authorities when formulating their plan.

2. Brief analysis of court judgments in Taiwan

In court judgments in Taiwan, there are cases where businesses have been found liable to compensate injured consumers because they failed to establish a Security and Maintenance Plan or to implement proper security measures. For instance, in the 112-Shang-Zi No. 656 Decision of the Taiwan High Court, the court determined that the business was negligent and had violated Article 27 of the PDPA and the Regulations for Security and Maintenance of Personal Data applicable to its industry. The business failed to prove that it had taken proper security measures or precautions regarding consumer personal data before the data breach occurred. The court found an adequate causal relationship between the business’s negligence and the mental distress suffered by the consumers. Consequently, the business was required to compensate the consumers for their non-pecuniary damages.

In fact, in earlier similar cases it was also common for businesses to have failed to establish a Security and Maintenance Plan and to be unable to prove that they had fulfilled their obligations, and therefore to fail to overturn the presumption of negligence. For example, refer to the 106-Nang-Jian-Zi No. 1450 civil decision of the Taiwan Tainan District Court and the 106-Bei-Xiao-Zi No. 2161 small-claim civil decision of the Taiwan Taipei District Court. Conversely, if a business can provide evidence that it has established and implemented a Security and Maintenance Plan and has adopted security measures in accordance with the PDPA, it may have a chance to overturn the presumption of negligence (refer to the 107-Xiao-Zi No. 6 civil decision of the Taiwan Shilin District Court). These cases highlight the importance of businesses establishing and implementing a comprehensive Security and Maintenance Plan.

3. Conclusion

Last year (2023), the amendments to the PDPA increased the administrative fines for failing to adopt proper security measures or to establish a Security and Maintenance Plan to no less than NT$20,000 and no more than NT$2 million. Those who fail to make corrections within the timeframe specified by the competent authority may be subject to further administrative fines ranging from NT$150,000 to NT$15 million. Businesses should therefore place greater emphasis on establishing and implementing the Security and Maintenance Plan, seek assistance from professionals in drafting the plan and the related internal operating procedures, and keep records of their implementation. Such records enable a business to prove that its obligations have been fulfilled when responding to complaints from consumers or clients, thereby reducing its potential compensation risk.
